Results 1 - 10 of 31
Secret Key Agreement by Public Discussion From Common Information
IEEE Transactions on Information Theory, 1993
Cited by 434 (18 self)
The problem of generating a shared secret key $S$ by two parties knowing dependent random variables $X$ and $Y$, respectively, but not sharing a secret key initially, is considered. An enemy who knows the random variable $Z$, jointly distributed with $X$ and $Y$ according to some probability distribution $P_{XYZ}$, can also receive all messages exchanged by the two parties over a public channel. The goal of a protocol is that the enemy obtains at most a negligible amount of information about $S$. Upper bounds on $H(S)$ as a function of $P_{XYZ}$ are presented. Lower bounds on the rate $H(S)/N$ (as $N \to \infty$) are derived for the case where $X = [X_1, \ldots, X_N]$, $Y = [Y_1, \ldots, Y_N]$ and $Z = [Z_1, \ldots, Z_N]$ result from $N$ independent executions of a random experiment generating $X_i$, $Y_i$ and $Z_i$, for $i = 1, \ldots, N$. In particular it is shown that such secret key agreement is possible for a scenario where all three parties receive the output of a binary symmetric source over independent binary symmetr...
Experimental Quantum Cryptography
Journal of Cryptology, 1992
Cited by 266 (20 self)
We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the sent and received versions of this transmission estimate the extent of eavesdropping that might have taken place on it, and finally 3) if this estimate is small enough, distill from the sent and received versions a smaller body of shared random information, which is certifiably secret in the sense that any third party's expected information on it is an exponentially small fraction of one bit. Because the system depends on the uncertainty principle of quantum physics, instead of usual mathematical assumptions such as the difficulty of factoring, it remains secure against an adversary with unlimited computing power. A preliminary version of this paper was presented at Eurocrypt '90, May 21 ...
Using Secure Coprocessors
1994
Cited by 165 (8 self)
The views and conclusions in this document are those of the authors and do not necessarily represent the official policies or endorsements of any of the research sponsors. How do we build distributed systems that are secure? Cryptographic techniques can be used to secure the communications between physically separated systems, but this is not enough: we must be able to guarantee the privacy of the cryptographic keys and the integrity of the cryptographic functions, in addition to the integrity of the security kernel and access control databases we have on the machines. Physical security is a central assumption upon which secure distributed systems are built; without this foundation even the best cryptosystem or the most secure kernel will crumble. In this thesis, I address the distributed security problem by proposing the addition of a small, physically secure hardware module, a secure coprocessor, to standard workstations and PCs. My central axiom is that secure coprocessors are able to maintain the privacy of the data they process. This thesis attacks the distributed security problem from multiple sides. First, I analyze the security properties of existing system components, both at the hardware and
Quantum cryptography with coherent states
Physical Review A, 1995
Cited by 25 (2 self)
The safety of a quantum key distribution system relies on the fact that any eavesdropping attempt on the quantum channel creates errors in the transmission. For a given error rate, the amount of information that may have leaked to the eavesdropper depends on both the particular system and the eavesdropping strategy. In this work, we discuss quantum cryptographic protocols based on the transmission of weak coherent states and present a new system, based on a symbiosis of two existing ones, and for which the information available to the eavesdropper is significantly reduced. This system is therefore safer than the two previous ones. We also suggest a possible experimental implementation.
Perfect Cryptographic Security from Partially Independent Channels
Proc. 23rd ACM Symposium on Theory of Computing, 1991
Cited by 20 (2 self)
Several protocols are presented that allow two parties Alice and Bob not sharing any secret information initially (except possibly a short key to be used for authentication) to generate a long shared secret key such that even an enemy Eve with unlimited computing power is unable to obtain a nonnegligible amount of information (in Shannon's sense) about this key. Two different models are considered. In a first model we assume that Alice can send information to Bob over a noisy main channel but that Eve is able to receive the same information over a parallel independent noisy channel from Alice to Eve. In a second, more general model we assume that Alice, Bob and Eve receive the output of a random source (e.g., a satellite broadcasting random bits) over three independent individual channels. The condition that the channels be independent can be replaced by the condition that they be independent only to a known, arbitrarily small degree. We demonstrate that even when Eve's channel is sup...
Remote electronic gambling.
In 13th Annual Computer Security Applications Conference, 1997
Sorting Out Zero-Knowledge
1990
Cited by 11 (3 self)
this paper is to explain the various notions involved and to offer a new terminology that emphasizes their differences. There are two orthogonal aspects to zero-knowledge interactive proofs. One is the notion of zero-knowledge and the other is the notion of interactive proof. Unfortunately, these two notions are often thought to be inseparable. This confusion is reminiscent of the long lasting confusion among many people between public-key encryption and digital signature. It is clear that interactive proofs make sense independently of zero-knowledge (after all, Babai's Arthur-Merlin games [Ba] were invented independently of [GMR1]), but it is more subtle to see that a protocol could be zero-knowledge without being an interactive
Information gain in quantum eavesdropping
Journal of Modern Optics, 1994
Cited by 10 (0 self)
Abstract. We analyse the information obtained by an eavesdropper during the various stages of a quantum cryptographic protocol associated with key distribution. We provide both an upper and a lower limit on the amount of information that may have leaked to the eavesdropper at the end of the key distribution procedure. These limits are restricted to intercept/resend eavesdropping strategies. The upper one is higher than has been estimated so far, and should be taken into account in order to guarantee the secrecy of the final key, which is subsequently obtained via the so-called privacy amplification.
On-Line Multiple Secret Sharing
1996
Cited by 10 (0 self)
A protocol for computationally secure "on-line" secret-sharing is presented, based on the intractability of the Diffie-Hellman problem, in which the participants' shares can be reused. Introduction. Cachin [1] presents a protocol for "on-line" secret sharing with general access structures, with shares as short as the secret and in which participants may be dynamically added or deleted without having to redistribute new shares secretly to the existing participants. These capabilities are gained by storing additional authentic, but not secret, information in a publicly accessible central location. This proposal does not allow the shares to be reused after the secret has been reconstructed without a further distributed computation subprotocol, although there is a modification allowing a predetermined number of multiple secrets to be reconstructed in a specified order. In this letter we present a modification of the protocol which allows for an arbitrary number of secrets to be ...